Why mail fails...

This document describes reasons why mail doesn't get delivered on the Internet.

During the outbreak of Code Red (versions 1 and 2) I kept track
of the hosts which tried to infect me. I thought I did people a
favour by telling them about their infected machines, but often I
couldn't get in contact with them because of broken mail configurations.

To find out who to contact, I did the following:

For hosts like host.domain.TLD...

...spam abuse@domain.TLD, hostmaster@domain.TLD,
postmaster@domain.TLD and webmaster@domain.TLD
anyway. Yes, only postmaster@domain.TLD has to exist
according to the RFCs, but the other ones often exist. I
needed to contact *anybody* there...

...dig for the SOA record and take the name from there:

domain.TLD. 2h38m4s IN SOA host.domain.TLD. a-name.domain.TLD (

The second name in the SOA record is the mailbox of the person
responsible for the zone, with the first dot standing for the @:
a-name.domain.TLD means a-name@domain.TLD.

...went into the whois database and hoped it would give me
some information.

For hosts like <ipaddress>...

...dig for the SOA record of <ipaddress>.in-addr.arpa
and take the name from there.

...went into the ARIN whois database and hoped it would
give me some information.

At the end there is an overview of the tools used.

Of the more than 250 unique mails I sent regarding this worm, I only got
one reply back, from somebody who said he would have a look at it... It's
a scarily low result.

carlson.chu@CWHKT.COM on Thu, 9 Aug 2001 06:26:28 +0800
The recipient name is not recognized
The MTS-ID of the original message is:
c=hk;a=cwmail;p=cw;l=HKGMSX130108082226QM29HQ97
MSEXCH:IMS:HKT:HK02:HKGMSX13 0 (000C05A6) Unknown Recipient

What is wrong here: the administrative and technical contacts for
this domain name do not exist. Too bad the billing contact did
exist, otherwise this problem would have solved itself after a
year.
How to solve: make all the contact email addresses in the whois database
valid.

What is wrong here: although the email address
webmaster@shinbiro.com does exist and forwards to one or more
mailboxes, one of those mailboxes isn't valid anymore, so every
mail to the alias produces a bounce.
How to solve: check all the aliases in your alias file for validity.
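One way to do that check is to walk the alias file and follow every target until it reaches a mailbox, a program or a file. The script below is an added example, not code from the original article; the alias text and the set of local users are constructed sample data, and pipe, file and :include: targets are assumed valid because the file alone can't say whether they are.

```python
"""Check an aliases(5) file for targets that no longer deliver anywhere.

Added example, not from the original article. The aliases text and the set
of local users are constructed sample data; the :include:, pipe and file
targets are assumed valid because the file alone can't tell."""
import re

# Constructed sample in aliases(5) syntax.  'webmaster' forwards to several
# mailboxes, one of which (ex-employee) no longer exists.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
postmaster:     root
hostmaster:     root
abuse:          postmaster
webmaster:      alice, bob,
                ex-employee
root:           alice
noc:            :include:/etc/mail/noc-list
"""
LOCAL_USERS = {"alice", "bob", "root"}   # constructed: what getent passwd would give

# Good-enough shape test for a remote address; full RFC 5322 parsing is overkill here.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_aliases(text):
    """Return {alias: [targets]} from aliases(5) text.

    A line that starts with whitespace continues the previous alias;
    comment and blank lines are skipped.
    """
    aliases = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any alias: %r" % raw)
            aliases[current].extend(t.strip() for t in raw.split(",") if t.strip())
            continue
        # partition on the FIRST colon so ':include:/path' targets survive intact
        name, _, rest = raw.partition(":")
        current = name.strip()
        aliases[current] = [t.strip() for t in rest.split(",") if t.strip()]
    return aliases


def target_delivers(target, aliases, local_users, seen):
    """True if one target ultimately reaches a mailbox, program or file.

    Local aliases are followed recursively; `seen` breaks alias loops.
    """
    if target.startswith(("|", "/", ":include:")):
        return True                      # program, file or include list (assumed valid)
    if ADDRESS_RE.match(target):
        return True                      # remote address: syntactically fine
    if target in seen:
        return False                     # a: b, b: a -- never delivers
    if target in aliases:
        return all(target_delivers(t, aliases, local_users, seen | {target})
                   for t in aliases[target])
    return target in local_users


def find_broken_aliases(text, local_users):
    """Return {alias: [bad targets]} for every alias that would bounce part of its mail."""
    aliases = parse_aliases(text)
    broken = {}
    for name, targets in aliases.items():
        bad = [t for t in targets if not target_delivers(t, aliases, local_users, {name})]
        if bad:
            broken[name] = bad
    return broken


def missing_required(text, required=("postmaster",)):
    """Return the required aliases (RFC 2142) that the file doesn't define."""
    aliases = parse_aliases(text)
    return [r for r in required if r not in aliases]


if __name__ == "__main__":
    for alias, bad in sorted(find_broken_aliases(SAMPLE_ALIASES, LOCAL_USERS).items()):
        print("%s: undeliverable target(s) %s" % (alias, ", ".join(bad)))
    for alias in missing_required(SAMPLE_ALIASES):
        print("required alias missing: %s" % alias)
```

Run against the real file with the output of getent passwd as the user set; an alias is reported as soon as one of its targets fails, because that is exactly the case that produces a bounce for every sender.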

Mailer problems

Just full

postmaster@giga.net.tw
The intended recipient's mailbox is full.
mail.local: mailbox for user 'clixadmin' is full
554 ... Service unavailable

What is wrong here: the mailboxes of these users are full; they are
probably never even read.
How to solve: make aliases from these users to a real address.

What is wrong here: The mailer on ns.sysads.com isn't
configured correctly. It should accept mail for ns.sysads.com.
How to solve: Configure the mailer to accept mail for all its
hostnames. Or create an MX record for all your hosts and make sure
the MX host accepts mail for these hosts. Or change the contact-name
in the DNS zone data.

What is wrong here: the preferred MX host doesn't exist, and the
secondary MX host doesn't know it should receive mail for that
domain.
How to solve: fix your DNS data. Remove all old and obsolete hosts.
Furthermore, make sure all hosts which are MX hosts for a domain
accept mail for that domain.

Bogus DNS data

No reverse lookups

203.250.86.71 - - [05/Aug/2001:20:26:57 +1000] "GET /default.ida?XX

The IP address is in use, but there is no reverse data for it.

What is wrong here: in theory, nothing. In practice: it will be hard
to track where this user is coming from and who to contact in case of
problems, and mail relays might refuse him access because there is no
reverse lookup.
How to solve: add a PTR record for this host in the reverse DNS zone.

Invalid reverse lookups

kaset.chandra.ac.th. 23h58m7s IN A 203.154.220.79
79.220.154.203.in-addr.arpa. 8h29m7s IN PTR kaset.chandra.ac.th.220.154.203.in-addr.arpa.

What is wrong here: the reverse data for this host is incorrect.
The PTR name was written without a trailing dot in the zone file, so
the zone's origin (220.154.203.in-addr.arpa.) was appended to it.
It's a small configuration error and people will be able to overcome
this, but programs aren't that smart.
How to solve: make sure your DNS data is correct. Put a trailing . behind
every fully qualified name in your zone data.
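Both reverse-DNS failures above (no PTR at all, and a PTR whose name was written without the trailing dot) can be caught before anyone else notices. The script below is an added example, not code from the original article: it does a forward-confirmed reverse DNS check and lints a reverse zone fragment for right-hand names missing the trailing dot. The DNS records and zone lines are constructed after the dig output quoted above, and the lookups are passed in as callables so the check runs offline; in production those would wrap dnspython or socket.gethostbyaddr().

```python
"""Forward-confirmed reverse DNS check covering both failures above: no PTR
at all, and a PTR whose name was written without a trailing dot.

Added example, not from the original article.  Lookups are passed in as
callables so the check runs offline against a constructed DNS table; in
production pass wrappers around dnspython or socket.gethostbyaddr()."""
import ipaddress

# Constructed records, modelled on the dig output quoted above.
SAMPLE_PTR = {
    "79.220.154.203.in-addr.arpa.": "kaset.chandra.ac.th.220.154.203.in-addr.arpa.",
    "1.2.0.192.in-addr.arpa.": "mail.example.org.",
    "2.2.0.192.in-addr.arpa.": "www.example.org.",
    # 203.250.86.71 deliberately has no PTR
}
SAMPLE_A = {
    "kaset.chandra.ac.th.": "203.154.220.79",
    "mail.example.org.": "192.0.2.1",
    "www.example.org.": "192.0.2.99",      # PTR says 192.0.2.2: forward and reverse disagree
}

# Constructed reverse zone fragment: the first PTR lacks the trailing dot.
SAMPLE_ZONE = """\
$ORIGIN 220.154.203.in-addr.arpa.
79   1d IN PTR kaset.chandra.ac.th
80   1d IN PTR mail.chandra.ac.th.
"""


def reverse_name(ip):
    """'192.0.2.1' -> '1.2.0.192.in-addr.arpa.'"""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def check_reverse(ip, ptr_lookup, a_lookup):
    """Classify the reverse DNS of one IPv4 address.

    Returns 'ok', 'no-ptr', 'relative-ptr' (the PTR target still carries the
    reverse zone's origin, i.e. the zone file lacked a trailing dot) or
    'mismatch' (the PTR name doesn't resolve back to this address).
    """
    target = ptr_lookup(reverse_name(ip))
    if target is None:
        return "no-ptr"
    if target.endswith(".in-addr.arpa."):
        return "relative-ptr"
    if a_lookup(target) != ip:
        return "mismatch"
    return "ok"


# Record types whose right-hand side is a domain name and is therefore
# expanded with the zone origin when the trailing dot is missing.
NAME_RDATA_TYPES = {"PTR", "CNAME", "NS", "MX"}


def lint_zone(lines):
    """Return (lineno, type, target) for right-hand names that look fully
    qualified (contain a dot) but lack the trailing dot.  Heuristic: a
    single-label relative name is left alone because it may be intended."""
    problems = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if "IN" not in fields:
            continue
        idx = fields.index("IN")
        if idx + 1 >= len(fields):
            continue
        rtype, target = fields[idx + 1], fields[-1]
        if rtype in NAME_RDATA_TYPES and "." in target and not target.endswith("."):
            problems.append((lineno, rtype, target))
    return problems


if __name__ == "__main__":
    for ip in ("203.154.220.79", "203.250.86.71", "192.0.2.1", "192.0.2.2"):
        print(ip, check_reverse(ip, SAMPLE_PTR.get, SAMPLE_A.get))
    for lineno, rtype, target in lint_zone(SAMPLE_ZONE.splitlines()):
        print("line %d: %s %s has no trailing dot" % (lineno, rtype, target))
```

The 'relative-ptr' result is the kaset.chandra.ac.th case: the answer is a syntactically valid name, so a resolver happily returns it, and only a check that knows what an in-addr.arpa suffix means on the right-hand side of a PTR will flag it.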

No MX records

webcam.intercom.com.tw - - [07/Aug/2001:21:58:02 +1000] "GET /defau

Mail to something@intercom.com.tw gave me:

<abuse@intercom.com.tw>: Name service error for domain intercom.com.tw: Host found but no data record of requested type

What is wrong here: there are neither MX nor A records for intercom.com.tw!
How to solve: add an MX record for your domain.
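The three mailer and DNS cases above (a host whose mailer won't accept mail for its own name, a preferred MX that doesn't exist with a secondary that isn't configured for the domain, and a domain with neither MX nor A records) are all decided by the same routing rule an MTA applies: MX records in preference order, the A record as an implicit MX when there is no MX, failure when there is neither. The script below is an added example, not code from the original article; the DNS tables are constructed after the cases in the text, and the "accepts mail for" table is an assumption standing in for the MX host's own mailer configuration.

```python
"""Where does an MTA deliver mail for a domain?  RFC 2821 section 5: use
the MX records in order of preference; with no MX, treat the domain's A
record as an implicit MX; with neither, the address is undeliverable.

Added example, not from the original article.  The DNS tables and the
'accepts mail for' table are constructed; the latter stands in for the
MX host's own mailer configuration (sendmail's class w, postfix's
mydestination) and is an assumption of this example."""

# Constructed DNS data modelled on the three cases in the text.
SAMPLE_MX = {
    "example.net.": [(10, "mx.example.net.")],
    # preferred MX has no address record; the secondary exists but isn't configured for the domain
    "example.org.": [(10, "mx1.example.org."), (20, "mx2.example.org.")],
}
SAMPLE_A = {
    "mx.example.net.": "192.0.2.10",
    "mx2.example.org.": "192.0.2.20",
    "ns.sysads.com.": "192.0.2.30",     # no MX: implicit MX via its A record
    # intercom.com.tw. has neither MX nor A record
}
ACCEPTS_MAIL_FOR = {
    "mx.example.net.": {"example.net."},
    "mx2.example.org.": set(),          # secondary MX doesn't know about example.org
    "ns.sysads.com.": set(),            # mailer doesn't accept mail for its own hostname
}


def fqdn(name):
    """Append the trailing dot that the DNS tables key on."""
    return name if name.endswith(".") else name + "."


def mail_hosts(domain, mx_lookup, a_lookup):
    """Return [(host, ip_or_None)] in the order an MTA would try them.

    Raises LookupError when the domain has neither MX nor A records, which is
    what 'Host found but no data record of requested type' means.
    """
    domain = fqdn(domain)
    mx = mx_lookup(domain)
    if mx:
        hosts = [host for _, host in sorted(mx)]        # lowest preference first
    elif a_lookup(domain):
        hosts = [domain]                                 # implicit MX
    else:
        raise LookupError("Name service error for domain %s: no MX or A record" % domain)
    return [(h, a_lookup(h)) for h in hosts]


def route(domain, mx_lookup, a_lookup, accepts):
    """Simulate one delivery attempt and report what happens.

    Returns ('delivered', host); ('rejected', host) when the first reachable
    MX host bounces the mail because it isn't configured for the domain; or
    ('no-reachable-mx', None) when every MX host lacks an address.
    """
    domain = fqdn(domain)
    for host, ip in mail_hosts(domain, mx_lookup, a_lookup):
        if ip is None:
            continue                    # MX names a host that doesn't exist: try the next one
        if domain in accepts.get(host, set()):
            return ("delivered", host)
        return ("rejected", host)       # the host answers, but with a permanent 'relaying denied'
    return ("no-reachable-mx", None)


if __name__ == "__main__":
    for domain in ("example.net", "example.org", "ns.sysads.com", "intercom.com.tw"):
        try:
            print(domain, route(domain, SAMPLE_MX.get, SAMPLE_A.get, ACCEPTS_MAIL_FOR))
        except LookupError as err:
            print(domain, "undeliverable:", err)
```

Note that a dead preferred MX is skipped quietly, so the sender only ever sees the secondary's rejection; that is why the fix has to be applied on both sides, removing the obsolete MX host and teaching the remaining one which domains it serves.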

Whois problems

Unreachable whois-servers

jet.chonbuk.ac.kr - - [08/Aug/2001:19:11:45 +1000] "GET /default.id

Trying to find out about this at whois.krnic.net, I either
got a connection refused, a timed-out connection or no data at all.

Australia has a distributed responsibility regarding the
whois database: net.au should be looked up at
whois.connect.com.au.

What is wrong here: there should be one point of contact for each
TLD and ccTLD.
How to solve: let whois.<ccTLD>nic.net give a reference
to the whois server which is responsible for this domain whenever it
isn't responsible itself.

whois.<insert strange name here>.ccTLD

Not every ccTLD has an intuitive name for its whois server,
for example whois.dns.be (for Belgium) or
whois.domain-registry.nl (for the Netherlands).

How to solve: make a whois.<ccTLD>nic.net for every
ccTLD.

Tools used

There are no special tools used, everything is available on a modern
unix system.

Maybe the whois-client will go further to whois.gandi.net
now, maybe it stops and you have to do the query again at
whois.gandi.net.

Whois servers for ccTLDs are often known as
whois.<ccTLD>nic.net, but there are exceptions to that
rule: for Belgium go to whois.dns.be, for the Netherlands
go to whois.domain-registry.nl, for Australia it is partly
known at whois.aunic.net, partly somewhere else.